mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-10-21 14:38:46 +00:00
Add kubeadm init upload encrypted certs phase
This commit is contained in:
Yago Nobre
50
cmd/kubeadm/app/phases/uploadcerts/BUILD
Normal file
50
cmd/kubeadm/app/phases/uploadcerts/BUILD
Normal file
@@ -0,0 +1,50 @@
|
||||
load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["uploadcerts.go"],
|
||||
importpath = "k8s.io/kubernetes/cmd/kubeadm/app/phases/uploadcerts",
|
||||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
"//cmd/kubeadm/app/apis/kubeadm:go_default_library",
|
||||
"//cmd/kubeadm/app/constants:go_default_library",
|
||||
"//cmd/kubeadm/app/phases/bootstraptoken/node:go_default_library",
|
||||
"//cmd/kubeadm/app/util/apiclient:go_default_library",
|
||||
"//cmd/kubeadm/app/util/crypto:go_default_library",
|
||||
"//pkg/apis/rbac/v1:go_default_library",
|
||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||
"//staging/src/k8s.io/cluster-bootstrap/token/util:go_default_library",
|
||||
"//vendor/github.com/pkg/errors:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [":package-srcs"],
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
||||
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["uploadcerts_test.go"],
|
||||
embed = [":go_default_library"],
|
||||
deps = [
|
||||
"//cmd/kubeadm/app/apis/kubeadm:go_default_library",
|
||||
"//cmd/kubeadm/app/constants:go_default_library",
|
||||
"//cmd/kubeadm/app/util/crypto:go_default_library",
|
||||
"//cmd/kubeadm/test:go_default_library",
|
||||
"//vendor/github.com/lithammer/dedent:go_default_library",
|
||||
],
|
||||
)
|
||||
205
cmd/kubeadm/app/phases/uploadcerts/uploadcerts.go
Normal file
205
cmd/kubeadm/app/phases/uploadcerts/uploadcerts.go
Normal file
@@ -0,0 +1,205 @@
|
||||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package uploadcerts
|
||||
|
||||
import (
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path"
|
||||
"strings"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
rbac "k8s.io/api/rbac/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
bootstraputil "k8s.io/cluster-bootstrap/token/util"
|
||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||
nodebootstraptokenphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node"
|
||||
"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
|
||||
cryptoutil "k8s.io/kubernetes/cmd/kubeadm/app/util/crypto"
|
||||
rbachelper "k8s.io/kubernetes/pkg/apis/rbac/v1"
|
||||
)
|
||||
|
||||
const (
|
||||
externalEtcdCA = "external-etcd-ca.crt"
|
||||
externalEtcdCert = "external-etcd.crt"
|
||||
externalEtcdKey = "external-etcd.key"
|
||||
)
|
||||
|
||||
// createShortLivedBootstrapToken creates the token used to manager kubeadm-certs
|
||||
// and return the tokenID
|
||||
func createShortLivedBootstrapToken(client clientset.Interface) (string, error) {
|
||||
tokenStr, err := bootstraputil.GenerateBootstrapToken()
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error generating token to upload certs")
|
||||
}
|
||||
token, err := kubeadmapi.NewBootstrapTokenString(tokenStr)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error creating upload certs token")
|
||||
}
|
||||
tokens := []kubeadmapi.BootstrapToken{{
|
||||
Token: token,
|
||||
Description: "Proxy for managing TTL for the kubeadm-certs secret",
|
||||
TTL: &metav1.Duration{
|
||||
Duration: kubeadmconstants.DefaultCertTokenDuration,
|
||||
},
|
||||
}}
|
||||
|
||||
if err := nodebootstraptokenphase.CreateNewTokens(client, tokens); err != nil {
|
||||
return "", errors.Wrap(err, "error creating token")
|
||||
}
|
||||
return tokens[0].Token.ID, nil
|
||||
}
|
||||
|
||||
//CreateCertificateKey returns a cryptographically secure random key
|
||||
func CreateCertificateKey() (string, error) {
|
||||
randBytes, err := cryptoutil.CreateRandBytes(kubeadmconstants.CertificateKeySize)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return hex.EncodeToString(randBytes), nil
|
||||
}
|
||||
|
||||
//UploadCerts save certs needs to join a new control-plane on kubeadm-certs sercret.
|
||||
func UploadCerts(client clientset.Interface, cfg *kubeadmapi.InitConfiguration, key string) error {
|
||||
fmt.Printf("[upload-certs] storing the certificates in ConfigMap %q in the %q Namespace\n", kubeadmconstants.KubeadmCertsSecret, metav1.NamespaceSystem)
|
||||
decodedKey, err := hex.DecodeString(key)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
tokenID, err := createShortLivedBootstrapToken(client)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
secretData, err := getSecretData(cfg, decodedKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ref, err := getSecretOwnerRef(client, tokenID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = apiclient.CreateOrUpdateSecret(client, &v1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: kubeadmconstants.KubeadmCertsSecret,
|
||||
Namespace: metav1.NamespaceSystem,
|
||||
OwnerReferences: ref,
|
||||
},
|
||||
Data: secretData,
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return createRBAC(client)
|
||||
}
|
||||
|
||||
func createRBAC(client clientset.Interface) error {
|
||||
err := apiclient.CreateOrUpdateRole(client, &rbac.Role{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: kubeadmconstants.KubeadmCertsClusterRoleName,
|
||||
Namespace: metav1.NamespaceSystem,
|
||||
},
|
||||
Rules: []rbac.PolicyRule{
|
||||
rbachelper.NewRule("get").Groups("").Resources("secrets").Names(kubeadmconstants.KubeadmCertsSecret).RuleOrDie(),
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return apiclient.CreateOrUpdateRoleBinding(client, &rbac.RoleBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: kubeadmconstants.KubeadmCertsClusterRoleName,
|
||||
Namespace: metav1.NamespaceSystem,
|
||||
},
|
||||
RoleRef: rbac.RoleRef{
|
||||
APIGroup: rbac.GroupName,
|
||||
Kind: "Role",
|
||||
Name: kubeadmconstants.KubeadmCertsClusterRoleName,
|
||||
},
|
||||
Subjects: []rbac.Subject{
|
||||
{
|
||||
Kind: rbac.GroupKind,
|
||||
Name: kubeadmconstants.NodeBootstrapTokenAuthGroup,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func getSecretOwnerRef(client clientset.Interface, tokenID string) ([]metav1.OwnerReference, error) {
|
||||
secretName := bootstraputil.BootstrapTokenSecretName(tokenID)
|
||||
secret, err := client.CoreV1().Secrets(metav1.NamespaceSystem).Get(secretName, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "error to get token reference")
|
||||
}
|
||||
|
||||
gvk := schema.GroupVersionKind{Version: "v1", Kind: "Secret"}
|
||||
ref := metav1.NewControllerRef(secret, gvk)
|
||||
return []metav1.OwnerReference{*ref}, nil
|
||||
}
|
||||
|
||||
func loadAndEncryptCert(certPath string, key []byte) ([]byte, error) {
|
||||
cert, err := ioutil.ReadFile(certPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return cryptoutil.EncryptBytes(cert, key)
|
||||
}
|
||||
|
||||
func certsToUpload(cfg *kubeadmapi.InitConfiguration) map[string]string {
|
||||
certsDir := cfg.CertificatesDir
|
||||
certs := map[string]string{
|
||||
kubeadmconstants.CACertName: path.Join(certsDir, kubeadmconstants.CACertName),
|
||||
kubeadmconstants.CAKeyName: path.Join(certsDir, kubeadmconstants.CAKeyName),
|
||||
kubeadmconstants.FrontProxyCACertName: path.Join(certsDir, kubeadmconstants.FrontProxyCACertName),
|
||||
kubeadmconstants.FrontProxyCAKeyName: path.Join(certsDir, kubeadmconstants.FrontProxyCAKeyName),
|
||||
kubeadmconstants.ServiceAccountPublicKeyName: path.Join(certsDir, kubeadmconstants.ServiceAccountPublicKeyName),
|
||||
kubeadmconstants.ServiceAccountPrivateKeyName: path.Join(certsDir, kubeadmconstants.ServiceAccountPrivateKeyName),
|
||||
}
|
||||
|
||||
if cfg.Etcd.External == nil {
|
||||
certs[kubeadmconstants.EtcdCACertName] = path.Join(certsDir, kubeadmconstants.EtcdCACertName)
|
||||
certs[kubeadmconstants.EtcdCAKeyName] = path.Join(certsDir, kubeadmconstants.EtcdCAKeyName)
|
||||
} else {
|
||||
certs[externalEtcdCA] = cfg.Etcd.External.CAFile
|
||||
certs[externalEtcdCert] = cfg.Etcd.External.CertFile
|
||||
certs[externalEtcdKey] = cfg.Etcd.External.KeyFile
|
||||
}
|
||||
return certs
|
||||
}
|
||||
|
||||
func getSecretData(cfg *kubeadmapi.InitConfiguration, key []byte) (map[string][]byte, error) {
|
||||
secretData := map[string][]byte{}
|
||||
for certName, certPath := range certsToUpload(cfg) {
|
||||
cert, err := loadAndEncryptCert(certPath, key)
|
||||
if err == nil || (err != nil && os.IsNotExist(err)) {
|
||||
secretData[strings.Replace(certName, "/", "-", -1)] = cert
|
||||
} else {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
return secretData, nil
|
||||
}
|
||||
116
cmd/kubeadm/app/phases/uploadcerts/uploadcerts_test.go
Normal file
116
cmd/kubeadm/app/phases/uploadcerts/uploadcerts_test.go
Normal file
@@ -0,0 +1,116 @@
|
||||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package uploadcerts
|
||||
|
||||
import (
|
||||
"encoding/hex"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path"
|
||||
"regexp"
|
||||
"testing"
|
||||
|
||||
"github.com/lithammer/dedent"
|
||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||
cryptoutil "k8s.io/kubernetes/cmd/kubeadm/app/util/crypto"
|
||||
testutil "k8s.io/kubernetes/cmd/kubeadm/test"
|
||||
)
|
||||
|
||||
func TestUploadCerts(t *testing.T) {
|
||||
tmpdir := testutil.SetupTempDir(t)
|
||||
defer os.RemoveAll(tmpdir)
|
||||
|
||||
}
|
||||
|
||||
//teste cert name, teste cert can be decrypted
|
||||
func TestGetSecretData(t *testing.T) {
|
||||
certData := []byte("cert-data")
|
||||
tmpdir := testutil.SetupTempDir(t)
|
||||
defer os.RemoveAll(tmpdir)
|
||||
cfg := &kubeadmapi.InitConfiguration{}
|
||||
cfg.CertificatesDir = tmpdir
|
||||
|
||||
key, err := CreateCertificateKey()
|
||||
if err != nil {
|
||||
t.Fatalf(dedent.Dedent("failed to create key.\nfatal error: %v"), err)
|
||||
}
|
||||
decodedKey, err := hex.DecodeString(key)
|
||||
if err != nil {
|
||||
t.Fatalf(dedent.Dedent("failed to decode key.\nfatal error: %v"), err)
|
||||
}
|
||||
|
||||
if err := os.Mkdir(path.Join(tmpdir, "etcd"), 0755); err != nil {
|
||||
t.Fatalf(dedent.Dedent("failed to create etcd cert dir.\nfatal error: %v"), err)
|
||||
}
|
||||
|
||||
certs := certsToUpload(cfg)
|
||||
for name, path := range certs {
|
||||
if err := ioutil.WriteFile(path, certData, 0644); err != nil {
|
||||
t.Fatalf(dedent.Dedent("failed to write cert: %s\nfatal error: %v"), name, err)
|
||||
}
|
||||
}
|
||||
|
||||
secretData, err := getSecretData(cfg, decodedKey)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to get secret data. fatal error: %v", err)
|
||||
}
|
||||
|
||||
re := regexp.MustCompile(`[-._a-zA-Z0-9]+`)
|
||||
for name, data := range secretData {
|
||||
if !re.MatchString(name) {
|
||||
t.Fatalf(dedent.Dedent("failed to validate secretData\n %s isn't a valid secret key"), name)
|
||||
}
|
||||
|
||||
decryptedData, err := cryptoutil.DecryptBytes(data, decodedKey)
|
||||
if string(certData) != string(decryptedData) {
|
||||
t.Fatalf(dedent.Dedent("can't decript cert: %s\nfatal error: %v"), name, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestCertsToUpload(t *testing.T) {
|
||||
localEtcdCfg := &kubeadmapi.InitConfiguration{}
|
||||
externalEtcdCfg := &kubeadmapi.InitConfiguration{}
|
||||
externalEtcdCfg.Etcd = kubeadmapi.Etcd{}
|
||||
externalEtcdCfg.Etcd.External = &kubeadmapi.ExternalEtcd{}
|
||||
|
||||
tests := map[string]struct {
|
||||
config *kubeadmapi.InitConfiguration
|
||||
expectedCerts []string
|
||||
}{
|
||||
"local etcd": {
|
||||
config: localEtcdCfg,
|
||||
expectedCerts: []string{kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName},
|
||||
},
|
||||
"external etcd": {
|
||||
config: externalEtcdCfg,
|
||||
expectedCerts: []string{externalEtcdCA, externalEtcdCert, externalEtcdKey},
|
||||
},
|
||||
}
|
||||
|
||||
for name, test := range tests {
|
||||
t.Run(name, func(t2 *testing.T) {
|
||||
certList := certsToUpload(test.config)
|
||||
for _, cert := range test.expectedCerts {
|
||||
if _, found := certList[cert]; !found {
|
||||
t2.Fatalf(dedent.Dedent("failed to get list of certs to upload\ncert %s not found"), cert)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user